INFSCI 2935: Introduction of Computer Security 1. Courtesy of Professors Chris Clifton & Matt Bishop. INFSCI 2935: Introduction to Computer Security 2

Transcription

1 Digital Signature Introduction to Computer Security Lecture 7 Digital Signature October 9, 2003 Construct that authenticates origin, contents of message in a manner provable to a disinterested third party ( judge ) Sender cannot deny having sent message (service is nonrepudiation ) Limited to technical proofs Inability to deny one s cryptographic key was used to sign One could claim the cryptographic key was stolen or compromised Legal proofs, etc., probably required; Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security 1 INFSCI 2935: Introduction to Computer Security 2 1

2 Common Error Classical Digital Signatures Classical: Alice, Bob share key k Alice sends m { m }k to Bob Does this satisfy the requirement for message authentication? How? Does this satisfy the requirement for a digital signature? This is not a digital signature Why? Third party cannot determine whether Alice or Bob generated message INFSCI 2935: Introduction to Computer Security 3 Require trusted third party Alice, Bob each share keys with trusted party Cathy The judge must trust the trusted party Cathy Alice Bob Cathy { m }k Alice { m }k Alice { m }k Bob Bob Cathy Bob To resolve dispute, judge gets { m }k Alice, { m }k Bob, and has Cathy decipher them; if messages matched, contract was signed, else one is a forgery INFSCI 2935: Introduction to Computer Security 4 2

3 Public Key Digital Signatures (RSA) Alice s keys are d Alice, e Alice Alice sends Bob m { m }d Alice In case of dispute, judge computes { { m }d Alice }e Alice and if it is m,, Alice signed message She s the only one who knows d Alice! RSA Digital Signatures Use private key to encipher message Protocol for use is critical Key points: Never sign random documents, and when signing, always sign hash and never document Mathematical properties can be turned against signer Sign message first, then encipher Changing public keys causes forgery INFSCI 2935: Introduction to Computer Security 5 INFSCI 2935: Introduction to Computer Security 6 3

4 Attack #1 Attack #2: Bob s Revenge Example: Alice, Bob communicating n A = 95, e A = 59, d A = 11 n B = 77, e B = 53, d B = contracts, numbered 00 to 25 Alice has Bob sign 05 and 17: c = m db mod n B = mod 77 = 3 c = m db mod n B = mod 77 = 19 Alice computes mod 77 = 08; corresponding signature is mod 77 = 57; claims Bob signed 08 Note: [(a mod n) (b mod n)] mod n = (a b) mod n Judge computes c eb mod n B = mod 77 = 08 Signature validated; Bob is toast! INFSCI 2935: Introduction to Computer Security 7 Bob, Alice agree to sign contract 06 Alice enciphers, then signs: Enciper: c = m e B mod nb = (06 53 mod 77) 11 Sign: c d A mod na = (06 53 mod 77) 11 mod 95 = 63 Bob now changes his public key Bob wants to claim that Alice singed N (13) Computes r such that 13 r mod 77 = 6; say, r = 59 Computes r.e B mod ϕ(n B ) = mod 60 = 7 Replace public key e B with 7, private key d B = 43 Bob claims contract was 13. Judge computes: (63 59 mod 95) 43 mod 77 = 13 Verified; now Alice is toast Solution: sign first and then enciher!! INFSCI 2935: Introduction to Computer Security 8 4

5 El Gamal Digital Signature Relies on discrete log problem Choose p prime, g, d < p; Compute y = g d mod p Public key: (y, g, p); private key: d To sign contract m: Choose k relatively prime to p 1, and not yet used Compute a = g k mod p Find b such that m = (da + kb) mod p 1 Signature is (a, b) To validate, check that y a a b mod p = g m mod p Example Alice chooses p = 29, g = 3, d = 6 y = 3 6 mod 29 = 4 Alice wants to send Bob signed contract 23 Chooses k = 5 (relatively prime to 28) This gives a = g k mod p = 3 5 mod 29 = 11 Then solving 23 = ( b) mod 28 gives b = 25 Alice sends message 23 and signature (11, 25) Bob verifies signature: g m mod p = 3 23 mod 29 = 8 and y a a b mod p = mod 29 = 8 They match, so Alice signed INFSCI 2935: Introduction to Computer Security 9 INFSCI 2935: Introduction to Computer Security 10 5

6 Attack Eve learns k,, corresponding message m, and signature (a, b) Extended Euclidean Algorithm gives d, the private key Example from above: Eve learned Alice signed last message with k = 5 m = (da + kb) mod p 1 = 23 =(11d ) mod 28 So Alice s private key is d = 6 INFSCI 2935: Introduction to Computer Security 11 Kerberos Authentication system Based on Needham-Schroeder with Denning-Sacco modification Central server plays role of trusted third party ( Cathy ) Ticket (credential) Issuer vouches for identity of requester of service Authenticator Identifies sender Alice must 1. Authenticate herself to the system 2. Obtain ticket to use server S INFSCI 2935: Introduction to Computer Security 12 6

7 Overview Ticket User u authenticates to Kerberos server Obtains ticket T u,tgs for ticket granting service (TGS) User u wants to use service s: User sends authenticator A u, ticket T u,tgs to TGS asking for ticket for service TGS sends ticket T u,s to user User sends A u, T u,s to server as request to use s Details follow Credential saying issuer has identified ticket requester Example ticket issued to user u for service s T u,s = s { u u s address valid time k u,s } k s where: k u,s is session key for user and service Valid time is interval for which the ticket is valid u s address may be IP address or something else Note: more fields, but not relevant here INFSCI 2935: Introduction to Computer Security 13 INFSCI 2935: Introduction to Computer Security 14 7

8 Authenticator Protocol Credential containing identity of sender of ticket Used to confirm sender is entity to which ticket was issued Example: authenticator user u generates for service s A u,s = { u generation time k t } k u,s where: k t is alternate session key Generation time is when authenticator generated Note: more fields, not relevant here user Cathy user user user user user TGS { k u,tgs } k u T u,tgs service A u,tgs T u,tgs user { k u,s } k u,tgs T u,s A u,s T u,s { t + 1 } k u,s Cathy user TGS TGS service service INFSCI 2935: Introduction to Computer Security 15 INFSCI 2935: Introduction to Computer Security 16 8

9 Analysis First two steps get user ticket to use TGS User u can obtain session key only if u knows key shared with Cathy Next four steps show how u gets and uses ticket for service s Service s validates request by checking sender (using A u,s ) is same as entity ticket issued to Step 6 optional; used when u requests confirmation Problems Relies on synchronized clocks If not synchronized and old tickets, authenticators not cached, replay is possible Tickets have some fixed fields Dictionary attacks possible Kerberos 4 session keys weak (had much less than 56 bits of randomness); researchers at Purdue found them from tickets in minutes INFSCI 2935: Introduction to Computer Security 17 INFSCI 2935: Introduction to Computer Security 18 9

10 Midterm Midterm Midterm date: October 16, 2003 Duration: Coverage: Closed Book: 2:30 minutes Material till today Yes Courtesy of Professors Chris Clifton & Matt Bishop INFSCI 2935: Introduction of Computer Security 19 INFSCI 2935: Introduction to Computer Security 20 10

11 Roughly speaking Chapter 1, 2, 4: 20% Chapter 3: 20% Chapter 5, 6, 7: 35% Chapter 9 and 10: 25% May vary slightly!! Chapter 1 Understand the general concepts/issues Understand the general concepts/issues Components of security: confidentiality, integrity, availability, etc. Threats Policy vs. mechanisms Assumptions of trust Assurance Specification/design/implementation Operational issues Cost-benefit; risk analysis; Human issues, etc. Organizational problems Security life cycle INFSCI 2935: Introduction to Computer Security 21 INFSCI 2935: Introduction to Computer Security 22 11

12 Chapter 2 Understand that access control matrix is an abstract model Understand the notation of state transitions Formal definitions of primitive commands Structure of conditional commands Principle of attenuation of privilege Chapter 3 Understand the working of Turing machine and the mapping Take-grant model Understand the concepts well Witness Sharing Stealing/conspiracy No need to remember definitions (e.g., initial/terminal spans, bridges etc.) SPM model Understand link/f, cc, crfunctions well Understand the examples well INFSCI 2935: Introduction to Computer Security 23 INFSCI 2935: Introduction to Computer Security 24 12

13 Chapter 4 Policy definitions Types of access control Policy language (Pandey & Hashii) Security and precision Observability postulate Secure and precise mechanism Understand the definitions no need to memorize (they will be provided if needed) Chapter 5, 6 and 7 Confidentiality: Bell-LaPadula model [5] Security levels, categories, dominates relation Not the formal model Integrity policies Biba s integrity models Lipner s integrity model Clark-wilson model Hybrid policies Chinese wall (informal) Clinical and originator control (understand the basic requirements) Role-based access control (NIST) INFSCI 2935: Introduction to Computer Security 25 INFSCI 2935: Introduction to Computer Security 26 13

14 Chapter 9 Classical crypto systems Transposition ciphers Substitution ciphers (caesar cipher) Vigenere cipher One-time pad Data Encryption Standard (DES) General working of DES Cipher Block Chaining mode Public-key Diffie-hellman RSA Cryptographic checkcsum Chapter 10 Classical cryptographic key exchange and authentication Basic protocol Needham-Schroeder Denning and Sacco Otway-Rees protocol Kerberos Digital Signature INFSCI 2935: Introduction to Computer Security 27 INFSCI 2935: Introduction to Computer Security 28 14